DevSecOps End-to-End CI/CD with SonarQube, OWASP, Trivy, Docker and Jenkins (Complete Project Guide)

By Admin · 2/18/2026


This guide builds a Jenkins CI/CD pipeline that runs three security checks before anything is deployed: static analysis with SonarQube (plus its quality gate), dependency scanning with OWASP Dependency-Check, and a filesystem vulnerability and secret scan with Trivy. The application is then deployed with Docker Compose on the same host. Here's the breakdown:

Prerequisites

Before you begin, ensure that the following prerequisites are met. The commands below assume an Ubuntu EC2 instance; SonarQube's documented minimum is 2 GB of RAM on top of what the OS needs, so a t2.micro-sized instance is not enough to run SonarQube, Jenkins and the scanners together.

  1. Create an AWS Account and launch an Ubuntu instance.

  2. Install Docker.

  3. Install Jenkins.

  4. Install SonarQube.

  5. Install Trivy.

  6. Install the OWASP Dependency-Check Jenkins plugin (configured later, together with the SonarQube plugin).

Install Docker:

  • Install Docker on each instance. You can use the official Docker installation instructions for your operating system, or the Ubuntu package:
sudo apt update
sudo apt install -y docker.io
# Grant socket access through the docker group rather than chown: a chown on
# /var/run/docker.sock is lost when the daemon restarts, and the pipeline runs
# as the jenkins service account, not as $USER.
sudo usermod -aG docker $USER
newgrp docker        # or log out and back in
# Once Jenkins is installed, repeat for its service account and restart it:
sudo usermod -aG docker jenkins && sudo systemctl restart jenkins

  • Anyone who can write to /var/run/docker.sock can start a privileged container with the host filesystem mounted, so docker-group membership is root-equivalent; treat the Jenkins host accordingly and do not run untrusted pipelines on it. The pipeline's last stage calls docker-compose, which the docker.io package does not ship; install it separately (sudo apt install docker-compose, or docker-compose-v2 and change the stage to docker compose up -d).

Install Jenkins:

  • To install Jenkins follow these commands (current Jenkins LTS needs Java 17 or newer; the repository key is stored in its own keyring and bound to the Jenkins source with signed-by, so apt trusts it for this source only):
sudo apt update
sudo apt install -y fontconfig openjdk-17-jre
java -version

sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
  https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" \
  | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null

sudo apt-get update
sudo apt-get install -y jenkins
sudo systemctl start jenkins
sudo systemctl enable jenkins

To access the Jenkins server, open http://<Public-IPv4>:8080 in a browser, unlock it with the password printed by sudo cat /var/lib/jenkins/secrets/initialAdminPassword, install the suggested plugins and create an admin user. Port 8080 must be allowed in the instance's security group; restrict the source to your own address rather than 0.0.0.0/0, since this host can start containers as root.

Install SonarQube:

  • To run SonarQube through Docker run this command:
docker run -itd --name sonarqube-server -p 9000:9000 sonarqube:lts-community

To access the SonarQube server, open http://<Public-IPv4>:9000 and log in with the default admin/admin; SonarQube forces a password change at first login. If the container exits shortly after starting, its embedded Elasticsearch is refusing to run because the host's vm.max_map_count is below 262144; raise it with sysctl and start the container again. Without a named volume the container keeps its database only as long as the container exists, which is acceptable for this demo but not for a shared server.

Install Trivy:

  • To install Trivy follow these commands. apt-key is deprecated, so the signing key goes into its own keyring and is bound to the Trivy source with signed-by, the same pattern used for the Jenkins repository:
sudo apt-get install -y wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update -y
sudo apt-get install -y trivy
trivy --version

The first scan downloads Trivy's vulnerability database, so the instance needs outbound internet access; later scans reuse the cached database.

Configuring Jenkins and SonarQube Integration:

  • It takes several steps to enable code analysis within your CI/CD pipeline. Here's a guide to help you set it up:

Prerequisites:

  • Ensure you have Jenkins and SonarQube installed and running in your environment.

  • Generate a SonarQube token (My Account > Security > Generate Tokens) and store it in Jenkins as a "Secret text" credential. The pipeline receives it through withSonarQubeEnv, so the token never appears in the pipeline script or the build log.

Steps:

  1. Install Jenkins Plugins:

    • Log in to your Jenkins dashboard and navigate to "Manage Jenkins" > "Plugins" (called "Manage Plugins" in older releases).

    • Install "SonarQube Scanner for Jenkins", which provides the withSonarQubeEnv and waitForQualityGate steps used by the pipeline, and "OWASP Dependency-Check", which provides the dependencyCheck and dependencyCheckPublisher steps.

  2. Configure SonarQube Server:

    • Go to "Manage Jenkins" > "System" ("Configure System" in older releases).

    • Scroll down to the "SonarQube servers" section and click "Add SonarQube".

    • Name the server Sonar; the pipeline's withSonarQubeEnv("Sonar") looks it up by this name. Set the server URL, for example http://<Private-IPv4>:9000. Jenkins talks to SonarQube server-side, so the private address works and port 9000 does not need to be open to the internet for the pipeline.

    • Select the "Secret text" credential that holds the SonarQube token.

  3. Create SonarQube Scanner Configuration:

    • In your Jenkins dashboard, navigate to "Manage Jenkins" > "Tools" ("Global Tool Configuration" in older releases).

    • Under "SonarQube Scanner installations" click "Add SonarQube Scanner".

    • Name it Sonar as well; the pipeline's tool "Sonar" resolves to this installation. Either tick "Install automatically" so Jenkins downloads the scanner, or provide the installation directory of a scanner you installed by hand.

  4. Add the Dependency-Check tool:

    • On the same "Tools" page, under "Dependency-Check installations", add an installation named dc, matching odcInstallation: 'dc' in the pipeline, and tick "Install automatically".

    • Dependency-Check downloads NVD data on its first run. Without an NVD API key that download is throttled and can take a very long time; request a key from the NVD, store it as a Jenkins credential and pass it to the CLI with --nvdApiKey in the stage's additionalArguments.

  5. Register the Jenkins webhook in SonarQube:

    • waitForQualityGate does not poll; SonarQube pushes the gate result to Jenkins. In SonarQube go to Administration > Configuration > Webhooks and add one with the URL http://<jenkins-host>:8080/sonarqube-webhook/ (keep the trailing slash). Without it the quality-gate stage waits until its timeout expires.

Configure CI/CD Pipeline in Jenkins:

  • Create a Pipeline job in Jenkins and use the following declarative pipeline as its script. The names "Sonar" and "dc" must match the server, scanner and Dependency-Check installations configured above.
pipeline {
    agent any
    environment {
        // Resolves to the SonarQube Scanner installation named "Sonar" under Manage Jenkins > Tools
        SONAR_HOME = tool "Sonar"
    }
    stages {
        stage("Clone Code from GitHub") {
            steps {
                git url: "https://github.com/krishnaacharyaa/wanderlust.git", branch: "devops"
            }
        }
        stage("SonarQube Quality Analysis") {
            steps {
                // Injects the URL and token of the SonarQube server named "Sonar"; the token is never in the script
                withSonarQubeEnv("Sonar") {
                    sh "$SONAR_HOME/bin/sonar-scanner -Dsonar.projectName=wanderlust -Dsonar.projectKey=wanderlust"
                }
            }
        }
        stage("OWASP Dependency Check") {
            steps {
                // 'dc' is the Dependency-Check installation name. Add "--nvdApiKey <key>" (from a credential)
                // to additionalArguments to avoid NVD throttling on the first run.
                dependencyCheck additionalArguments: '--scan ./', odcInstallation: 'dc'
                dependencyCheckPublisher pattern: '**/dependency-check-report.xml'
            }
        }
        stage("Sonar Quality Gate Scan") {
            steps {
                // Requires the SonarQube webhook to <jenkins>/sonarqube-webhook/. With abortPipeline: false a
                // failed gate is only reported; set it to true to actually stop the build.
                timeout(time: 2, unit: "MINUTES") {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage("Trivy File System Scan") {
            steps {
                // --format table writes plain text, so the report is a .txt, not .html (for HTML use
                // --format template --template "@/usr/local/share/trivy/templates/html.tpl").
                // Trivy's exit code defaults to 0, so findings never fail this stage; add
                // --exit-code 1 --severity HIGH,CRITICAL to gate on them.
                sh "trivy fs --format table -o trivy-fs-report.txt ."
            }
        }
        stage("Deploy using Docker compose") {
            steps {
                // Deploys on the Jenkins host itself, so the jenkins user must be in the docker group.
                // Use "docker compose up -d" if you installed Compose v2 instead of docker-compose.
                sh "docker-compose up -d"
            }
        }
    }
}
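As written, the Trivy stage records findings but never fails the build. The following script is an added example (not code from the original article or the wanderlust project) of the decision logic a gating stage would apply to the JSON form of the same scan (`trivy fs --format json -o trivy.json .`): it fails on HIGH/CRITICAL vulnerabilities that already have a fix, fails on any secret (`trivy fs` scans for secrets as well as vulnerabilities by default), and honours a time-boxed allowlist so accepted risks expire instead of living forever. The report it ships with is constructed sample data in Trivy's output format; the lodash, glob-parent and minimist CVE IDs are real npm advisories with illustrative versions, and CVE-0000-00001 is a synthetic placeholder standing in for a finding with no upstream fix.

```python
"""Policy gate for a Trivy JSON report (added example, not the article's code).

Usage in a Jenkins sh step after the scan:
    trivy fs --format json -o trivy.json . && python3 trivy_gate.py trivy.json
Without an argument the script evaluates the constructed sample report below.
"""
import json
import sys
from datetime import date

FAIL_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample in Trivy's JSON format (SchemaVersion 2). Real CVE IDs with
# illustrative versions; CVE-0000-00001 is a synthetic placeholder for an unfixed finding.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "frontend/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-23337", "PkgName": "lodash",
                 "InstalledVersion": "4.17.15", "FixedVersion": "4.17.21", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2020-28469", "PkgName": "glob-parent",
                 "InstalledVersion": "5.1.1", "FixedVersion": "5.1.2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "placeholder-pkg",
                 "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2020-7598", "PkgName": "minimist",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.3", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "backend/.env", "Class": "secret",
            "Secrets": [
                {"RuleID": "aws-access-key-id", "Category": "AWS", "Severity": "CRITICAL",
                 "Title": "AWS Access Key ID", "StartLine": 3, "EndLine": 3},
            ],
        },
        # A clean target carries no "Vulnerabilities" key at all.
        {"Target": "backend/package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
    ],
}

# Accepted-risk entries carry an expiry, so an exception cannot silently outlive its reason.
ALLOWLIST = [
    {"id": "CVE-2020-28469", "expires": "2026-03-31",
     "reason": "dev-only build dependency; upgrade tracked in ticket"},
]


def live_allowlist(entries, today):
    """Return the IDs whose exception has not expired on `today`."""
    return {e["id"] for e in entries if date.fromisoformat(e["expires"]) >= today}


def evaluate(report, allowlist=ALLOWLIST, today=None, ignore_unfixed=True):
    """Apply the gate policy to a parsed Trivy report and return a verdict dict."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    accepted = live_allowlist(allowlist, today)
    counts = {s: 0 for s in ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")}
    blocking, secrets = [], []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
            if sev not in FAIL_SEVERITIES:
                continue
            if ignore_unfixed and not v.get("FixedVersion"):
                continue  # nothing to upgrade to yet: counted and reported, not blocking
            if v["VulnerabilityID"] in accepted:
                continue
            blocking.append(f"{v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']} "
                            f"-> {v['FixedVersion']} ({target})")
        # A secret is blocking regardless of severity: it must be rotated, not upgraded.
        for s in result.get("Secrets") or []:
            secrets.append(f"{s.get('RuleID')} in {target}:{s.get('StartLine')}")
    return {"counts": counts, "blocking": blocking, "secrets": secrets,
            "passed": not blocking and not secrets}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    verdict = evaluate(report)
    print("severity counts:", verdict["counts"])
    for line in verdict["blocking"]:
        print("BLOCK vuln  :", line)
    for line in verdict["secrets"]:
        print("BLOCK secret:", line)
    print("gate:", "PASS" if verdict["passed"] else "FAIL")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Trivy implements the severity and fixed-only parts of this policy natively (`trivy fs --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed .` plus a `.trivyignore` file, and newer releases accept an `expired_at` date per entry in `.trivyignore.yaml`); what the script adds is a single verdict that also covers detected secrets and a place to record why each exception was granted. Because a non-zero exit from the `sh` step fails the Jenkins stage, the gate stops the pipeline before the Docker Compose deploy.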

Build the Pipeline:

  • Save the job and click "Build Now". The first run is slow because Dependency-Check downloads the NVD data and Trivy downloads its vulnerability database; later runs reuse both caches. When it finishes, the SonarQube analysis link and the Dependency-Check results appear on the build page, and trivy-fs-report.txt is in the job workspace (archive it with archiveArtifacts if you want to keep it with the build).

Now, access your website:

  • To access your webpage, open http://<Public-IPv4>:5173, the port the wanderlust frontend publishes. As with 8080 and 9000, allow the port in the security group only for the addresses that need it.

By architecting an end-to-end CI/CD pipeline with SonarQube, OWASP Dependency-Check, Trivy, Docker and Jenkins, we move towards a DevSecOps practice where security checks run on every build rather than as a separate audit. Turning the reports into enforced gates (abortPipeline: true and a non-zero Trivy exit code on serious findings) is the step that makes the pipeline actually protect the deployment.
